Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #65

August 14, 2012

This week Microsoft is expected to make Windows Server 2012 and the
controversial Windows 8 client available for download to TechNet/MSDN
subscribers. Join us with Jason Fossen, SANS Institute Fellow, for a
webcast on what to realistically expect with Microsoft's iPad-killer and
VMware nemesis this Wednesday, August 15 at 1:00PM EDT.
https://www.sans.org/webcasts/windows-8-comingserver-2012-too-95495

Plus Melbourne, Dubai, San Diego, and Johannesburg all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

TOP OF THE NEWS

A proposed change to the US military's standing rules of engagement (SROE) would give cyber experts employed by the military the authority to take action on certain non-military computer systems. The SROE provide guidance for military commanders when they find their troops or systems are under attack and there is not time to consult the president or secretary of defense if action is to be taken before serious harm occurs. Cyberspace is posing special issues for SROE for a number of reasons: the time frame of cyberattacks; the difficulty of identifying the attackers; and the possibility of collateral damage. Some in the military would like the Cyber Command to have the authority to disable servers in foreign countries to prevent malware attacks. The military currently has the authority to take those actions only within its own networks.
-http://www.washingtonpost.com/world/national-security/pentagon-proposes-more-robust-role-for-its-cyber-specialists/2012/08/09/1e3478ca-db15-11e1-9745-d9ae6098d493_story.html
[Editor's Note (Pescatore): Back in the 1980s I worked for the US Secret Service and when using military (not National Guard) personnel domestically we had to make sure we observed the guidelines around the Posse Comitatus statute which dictates that such use must "be expressly authorized by the Constitution or by act of Congress." It is healthy that we start the dialog on how this applies to cyber-incidents vs. hurricanes and the like. The National Guard has traditionally been the rapid reaction force, with the armed forces staying bound by Posse Comitatus. ]

Hackers Encrypt Medical Records and Demand Ransom (August 10, 2012)

A medical facility in northern Illinois has acknowledged that hackers broke into its computer network and encrypted data, demanding a ransom to be paid for revealing the password to decrypt the data. The Surgeons of Lake County instead turned off the compromised server and contacted authorities. This is not the first time that health data have been held for ransom. Prescription drug benefits management company Express Scripts was the target of cyber criminals who took the data and demanded payment if the company did not want the stolen information made public.
-http://www.bloomberg.com/news/2012-08-10/hackers-encrypt-health-records-and-hold-data-for-ransom.html
[Editor's Note (Murray): There are two vulnerabilities here. The first is that someone else has write access privilege to the data; necessary to erase the clear-text after creating the cipher text. The second is that either there is only one copy, no backup, or the outsider has access to that too. Note that the encryption step is cute but unnecessary; an attacker could simply create his own copy and then erase the original. ]

The US Justice Department (DOJ) will not ask the Supreme Court to review a case in which a lower court ruled that employees cannot be prosecuted under the Computer Fraud and Abuse Act (CFAA) for merely violating employers' computer use policies. The CFAA was passed in 1984 to help the government prosecute individuals who gained access to computers to steal data or disrupt the machines' operations. The US government has interpreted the law to include violating websites' terms of service and violating companies' computer use policies. Earlier this year, the Ninth US Circuit Court of Appeals said that such interpretations would make it possible to prosecute people who lie about their appearance online.
-http://www.wired.com/threatlevel/2012/08/computer-fraud-supreme-court/
-http://www.wired.com/images_blogs/threatlevel/2012/08/nosaldeclination.pdf

The US Federal Trade Commission (FTC) and Facebook have agreed to the terms of a settlement regarding the social networking site's privacy practices. The settlement requires Facebook to obtain users' "express consent" prior to sharing their information beyond the limitations in users' privacy settings. Facebook must also provide users with "clear and prominent notice" whenever their data are shared. Failure to comply will cost Facebook US $16,000 in civil penalties for each violation. The FTC alleged that Facebook told users they could make their data private, but then allowed the information to be shared and made public. In the settlement, Facebook denies the allegations and admits no guilt.
-http://news.cnet.com/8301-1009_3-57490948-83/ftc-settles-facebook-privacy-complaint-sans-google-like-fine/
-http://www.computerworld.com/s/article/9230171/FTC_gives_final_approval_to_Facebook_privacy_settlement?taxonomyId=84
[Editor's Note (Pescatore): More "prior express consent" or opt-in is a good thing. ]

Among the email messages stolen from Stratfor late last year are several that have information about the implementation of TrapWire, a domestic surveillance program that gathers data from spots in major cities around the US, encrypts it, and sends it to a secretive central database center. A press release describes TrapWire as being "designed to provide a simple yet powerful means of collecting and recording suspicious activity reports." In an interview, the founder of the company responsible for TrapWire said that it "can collect information about people and vehicles that is more accurate than facial recognition, draw patterns, and do threat assessment of areas that may be under observation from terrorists." WikiLeaks, which has the TrapWire messages posted, has been under a sustained distributed denial-of-service (DDoS) attack that started before the TrapWire documents were posted to the Internet.
-https://rt.com/usa/news/stratfor-trapwire-abraxas-wikileaks-313/
-http://www.technolog.msnbc.msn.com/technology/technolog/trapwire-surveillance-really-spying-americans-939948
[Editor's Note (Murray): Security professionals must be saddened when the government leaks information about sources and methods, which it intends to be secret. ]

Sergey Aleynikov, the former Goldman Sachs computer programmer who earlier this year was cleared of charges that he stole the company's high-frequency trading system source code, has been arrested again, this time on charges of "unlawfully using secret scientific material and unlawfully duplicating computer-related material."
-http://www.theregister.co.uk/2012/08/10/goldman_sachs_programmer_re_arrested/

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/